The present invention relates to policy rule based operations and more particularly to policy rule based computer network systems such as computer networks.
Computer networks have grown increasingly complex with the use of distributed client/server applications, mixed platforms and multiple protocols all in a single physical backbone. The control of traffic on networks is likewise moving from centralized information systems departments to distributed work groups. The growing utilization of computer networks is not only causing a move to new, high speed technologies, but is at the same time making the operation of computer networks more critical to day to day business operations. The use of quality of service (QoS) criteria for managing and/or contracting communication service level agreements (SLAs) is becoming increasingly common in networks, such as networks supporting Internet protocol (IP) communications.
The Internet Engineering Task Force (IETF) has proposed a set of policy schemas (object oriented models of policy classes and policy attributes) and a policy framework for managing future networks. The IETF proposed policy based networking technology is described in the Internet draft entitled “Policy Core LDAP Schema,” draft-IETF-policy-core-schema-07.txt, Jul. 14, 2000 (“IETF proposal”). Among other things, the IETF proposal includes three policy classes referred to as policy rule, policy Action and policy Condition respectively. A policy rule (class policyRule) has the following semantics: “If Condition then Action.” In other words, the actions (class policyAction) specified by a policy Rule are to be performed/executed only if the policy condition (class policyCondition) evaluates to TRUE.
Stated differently, the IETF proposal provides policy conditions which represent a set of criteria that are used to identify various groupings, such as host(s), routing, application(s), on which, if the condition evaluates to TRUE (i.e., is met), appropriate actions are performed. The application condition group, for example, includes, among other things, an attribute that is used to identify the content of the application data to be used in the policy condition evaluation. This data, for web requests, generally represents the Universal Resource Indicator (URI) portion of the Universal Resource Locator (URL) or the directory where the object of the request is located.
In addition to the network environment, various other areas are dependent upon operations which are policy rule based. Thus, structuring procedures or methods based upon a policy expressed as “If Condition then Action” may be generalized across a broad scope of applications where similar issues of implementation may be encountered. Some of these application environments operate under conditions without time constraints. However, implementation of such policy rule based operations in time sensitive environments, such as a high speed network environment, can place time critical demands on processing capabilities of various network communication server devices. Rapid detection of the application data type or other aspects of a communication packet processed by a communication server may be critical, for example, where service differentiation by different data types is utilized to guarantee service level agreements (SLAs) related to QoS.
As an example, in the environment of the worldwide web (Web), each hypertext transport protocol (HTTP) type request can result in different data type(s) being sent to a requesting client device from a server device. For example, an HTTP request may call for video/audio data streaming, transaction oriented data, FTP data, etc. Different data types may require different service levels to be assigned while the data is being transmitted to the client. For instance, File Transfer Protocol (FTP) type data generally requires low loss but is not highly sensitive to delays whereas video/audio data will typically be sensitive to delay but not to loss. Complex policy rule based schema, such as the IETF proposal, reference multiple levels of policy conditions to be evaluated in order to determine if a policy action specified by a corresponding complex policy rule should be executed. This may be understood by reference to its essential opposite which would be a simple policy rule containing all the elements (e.g., attributes) of policy conditions as part of the rule definition rather than relying upon explicit references to policy conditions. Such complex policy rules are evaluated so as to determine whether an associated action for the policy rule should be executed.
Embodiments of the present invention include methods, systems and computer program products which provide for processing a complex policy rule structured in a plurality of levels wherein the complex policy rule selects an action for execution based on a plurality of individual policy conditions each of the individual policy conditions being expressed as ranges and being associated with one of the levels. It is determined if the complex policy rule is a conjunctive normal form (CNF) policy rule. An event is received having an associated value defining a point in a space covered by the individual policy conditions. The following operations are performed if the complex policy condition is a CNF policy condition. A plurality of summary conditions are generated, each of the summary conditions being associated with one of the levels. The associated value of the received event is compared to a selected one of the summary conditions to determine if the selected one of the summary conditions is met. The complex policy rule may be skipped if the selected one of the summary conditions is not met. Operations repeat for others of the summary conditions and individual policy conditions until either one of the summary conditions is not met or all individual policy conditions for one of the levels are not met or until at least one of the individual policy conditions for each level is met. The complex policy rule may be skipped if either one of the summary conditions is not met or all individual policy conditions for one of the levels are not met.
In further embodiments of the present invention, methods are provided for processing a complex policy rule structured in a plurality of levels wherein the complex policy rule selects an action for execution based on a plurality of individual policy conditions, each of the individual policy conditions including a plurality of groups and being expressed as ranges for each of the groups. It is determined if the complex policy condition is a conjunctive normal form (CNF) policy condition. An event is received, the event having associated values defining a point in a space covered by the plurality of conditions. If the complex policy rule is a CNF policy rule, the following operations are performed. A plurality of summary conditions are generated, each of the summary conditions being associated with a respective one of the groups for a respective one of the levels. A respective one of the associated values of the received event is compared to an associated selected one of the summary conditions, the selected one of the summary conditions being associated with the same group of policy conditions as the respective one of the associated values of the received event, to determine if the associated one of the summary condition is met. The complex policy rule may be skipped if the associated one of the summary conditions is not met.
Comparison operations repeat for others of the summary conditions and individual policy conditions until either one of the summary conditions is not met or all individual policy conditions for one of the levels are not met or until at least one of the individual policy conditions for each of the levels is met. The complex policy rule may be skipped if either one of the summary conditions is not met or all individual policy conditions for one of the levels are not met. If the complex policy rule is a CNF policy rule, the action is executed if at least one of the individual policy conditions for each of the levels is met.
In other embodiments of the present invention, at least one of the groups is selected from the group consisting of source device internet protocol (IP) address range, destination device IP address range, inbound interface identifier (ID) range, outbound interface ID range, source device port number range, destination device port number range, protocol ID range, application name and application data classification. Summary conditions in various embodiments are provided by establishing a lowest starting value of one of the groups of one of the individual conditions associated with a level as a start value of a summary condition for that group for that level and establishing a highest ending value of the one of the groups of the one of the individual policy conditions associated with that level as an end value of the summary condition for that group for that level.
An all inclusive range may be provided as a summary condition for a group for a level if the associated range for that group of one of the individual policy conditions associated with that level is a unitary point of a first value and another of the individual policy conditions associated with that level for that group is a unitary point of a second value different from the first value. An all inclusive range may further be provided as a summary condition for a group for a level if the associated range for that group of one of the individual policy conditions associated with that level is all inclusive. In particular embodiments, one of the summary conditions most likely to not be met is selected first for testing.
In various embodiments of the present invention, comparing operations for others of the summary conditions and individual policy conditions includes comparing the associated values of the received event to ones of the individual policy conditions associated with the same level as one of the summary conditions which is met to determine if any of the individual policy conditions associated with the same level as one of the summary conditions which is met are met. In further embodiments of the present invention, comparing operations for others of the summary conditions and individual policy conditions include selecting another one of the summary conditions associated with the same level as the selected one of the summary conditions and associated with a different group of policy conditions and comparing one of the associated values of the received event associated with the different group to the another one of the summary conditions to determine if the another one of the summary conditions is met. Operations continue with others of the summary conditions until at least one of a summary condition is not met or all of the summary conditions associated with the same level are met. The associated values of the received event may further be compared to ones of the individual policy conditions associated with a level to determine if any of the individual policy conditions associated with the level are met if all of the summary conditions associated with the same level are met.
In further embodiments of the present invention, comparison operations for individual policy conditions associated with the same level are followed by comparing the associated values of the received event to ones of the summary conditions associated with another one of the levels to determine if any of the summary conditions associated with another one of the levels is not met. The associated values of the received event are then further compared to ones of the individual policy conditions associated with the another one of the levels if all of the ones of the summary conditions associated with the another one of the levels are met to determine if any of the ones of the individual policy conditions associated with the another one of the levels are met. Such level by level operations may repeat for others of the plurality of levels until either one of the summary conditions is not met or all individual policy conditions for one of the levels are not met or until at least one of the individual policy conditions for each level is met.
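The CNF evaluation described above (summary conditions per group and per level, tested before the individual conditions and used only to skip a rule), as an added illustration that is not part of the patent text. The range representation, the ALL marker, the group names, addresses and ports are assumptions of this example.

```python
import ipaddress
# Added example (not from the patent): CNF policy rule evaluation with
# per-level, per-group summary conditions used only as a fast reject.
# A rule is a list of levels; levels are ANDed, the individual conditions
# inside a level are ORed. Each condition maps a group name to an inclusive
# (start, end) range; IPs are held as integers. ALL marks an all inclusive
# range (assumed representation, not the patent's).
ALL = (float("-inf"), float("inf"))
GROUPS = ("src_ip", "dst_port", "proto")

def ip(s):
    return int(ipaddress.IPv4Address(s))

def in_range(value, rng):
    return rng[0] <= value <= rng[1]

def summarize_level(level, groups=GROUPS):
    """Lowest start / highest end per group, widened to ALL when a condition
    is ALL for that group or two conditions are distinct unitary points."""
    summary = {}
    for g in groups:
        ranges = [cond.get(g, ALL) for cond in level]
        points = {r[0] for r in ranges if r[0] == r[1]}
        if ALL in ranges or len(points) > 1:
            summary[g] = ALL
        else:
            summary[g] = (min(r[0] for r in ranges), max(r[1] for r in ranges))
    return summary

def evaluate_cnf(levels, event, groups=GROUPS):
    """'execute' only if some individual condition of every level is met;
    a summary condition can cause a skip but never an accept."""
    for level in levels:
        summary = summarize_level(level, groups)
        for g in groups:                       # summary test, one group at a time
            if not in_range(event[g], summary[g]):
                return "skip:summary"          # no condition in this level can match
        if not any(all(in_range(event[g], cond.get(g, ALL)) for g in groups)
                   for cond in level):
            return "skip:level"                # summaries met, nothing matched
    return "execute"

# Constructed rule: level 1 = TCP from 10.0.0.0/24 OR UDP from 10.0.5.0/24,
# level 2 = destination port 80 OR 8000-8999.
RULE = [
    [{"src_ip": (ip("10.0.0.0"), ip("10.0.0.255")), "proto": (6, 6)},
     {"src_ip": (ip("10.0.5.0"), ip("10.0.5.255")), "proto": (17, 17)}],
    [{"dst_port": (80, 80)}, {"dst_port": (8000, 8999)}],
]

def event(src, port, proto):
    return {"src_ip": ip(src), "dst_port": port, "proto": proto}
```

Note that an event from 10.0.3.1 passes the level 1 summary (it lies between the two subnets) yet matches no individual condition, which is why the individual conditions of a level are always confirmed before moving on.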
In other embodiments of the present invention, it is determined if the complex policy rule is a disjunctive normal form (DNF) policy rule and, if so, the following operations are performed. A plurality of collapsed conditions is generated, each of the collapsed conditions being associated with one of the levels and having a range for each group of policy conditions. The associated values of the received event are compared to a selected one of the collapsed conditions to determine if the selected one of the collapsed conditions is met. Another one of the collapsed conditions is selected and compared to the associated values of the received event to determine if the selected another one of the collapsed conditions is met if the previously selected one of the collapsed conditions is not met. Operations continue for others of the collapsed conditions until either a collapsed condition is met or all of the collapsed conditions are not met. The action associated with the complex policy rule is executed if one of the collapsed conditions is met and the complex policy rule is a DNF policy rule.
In further embodiments of the present invention, it is determined that a collapsed condition is not met if any one of the ranges of the collapsed condition is not met. One of the plurality of collapsed conditions which is most likely to be met may be selected to be the first one of the plurality of collapsed conditions to be compared to a received event. In other embodiments of the present invention, an intersection of associated ranges of all individual policy conditions associated with each group of policy conditions included in a particular level is established as one of the plurality of collapsed conditions associated with the particular level.
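The DNF evaluation described above (a collapsed condition per level formed by intersecting the ranges of each group, with the rule executed as soon as one collapsed condition is met), as an added illustration that is not part of the patent text. The range representation, the ALL marker, the group names, addresses and ports are assumptions of this example.

```python
import ipaddress
# Added example (not from the patent): DNF policy rule evaluation with
# collapsed conditions. Here levels are ORed and the individual conditions
# inside a level are ANDed, so a level collapses to one range per group:
# the intersection (highest start, lowest end) of its conditions' inclusive
# (start, end) ranges. ALL marks an all inclusive range (assumed).
ALL = (float("-inf"), float("inf"))
GROUPS = ("src_ip", "dst_port", "proto")

def ip(s):
    return int(ipaddress.IPv4Address(s))

def collapse_level(level, groups=GROUPS):
    collapsed = {}
    for g in groups:
        ranges = [cond.get(g, ALL) for cond in level]
        collapsed[g] = (max(r[0] for r in ranges), min(r[1] for r in ranges))
    return collapsed

def is_empty(collapsed):
    """Contradictory conditions collapse to start > end for some group;
    such a level can never be met and is worth flagging as a dead level."""
    return any(c[0] > c[1] for c in collapsed.values())

def collapsed_is_met(collapsed, event):
    # one range not met is enough for the whole collapsed condition to fail
    return all(c[0] <= event[g] <= c[1] for g, c in collapsed.items())

def evaluate_dnf(levels, event, groups=GROUPS):
    """'execute' as soon as one collapsed condition is met, 'skip' when all
    fail. Levels are tried in the order given: list the likeliest first."""
    for collapsed in (collapse_level(l, groups) for l in levels):
        if collapsed_is_met(collapsed, event):
            return "execute"
    return "skip"

# Constructed rule: level A = 10.0.0.0/24 AND high port AND port 8000-8999,
# level B = UDP AND port 53, level C = port 80 AND port 443 (contradictory).
RULE = [
    [{"src_ip": (ip("10.0.0.0"), ip("10.0.0.255"))},
     {"dst_port": (1024, 65535)}, {"dst_port": (8000, 8999)}],
    [{"proto": (17, 17)}, {"dst_port": (53, 53)}],
    [{"dst_port": (80, 80)}, {"dst_port": (443, 443)}],
]

def event(src, port, proto):
    return {"src_ip": ip(src), "dst_port": port, "proto": proto}
```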
While the invention has been described above primarily with respect to the method aspects of the invention, both systems and/or computer program products are also provided.